Category: Security

Jul 22 2016

Malicious computers caught snooping on Tor-anonymized Dark Web sites

A map of hidden services directories detected as malicious.

The trust of the Tor anonymity network is in many cases only as strong as the individual volunteers whose computers form its building blocks. On Friday, researchers said they found at least 110 such machines actively snooping on Dark Web sites that use Tor to mask their operators' identities.

All of the 110 malicious relays were designated as hidden services directories, which store information that end users need to reach the ".onion" addresses that rely on Tor for anonymity. Over a 72-day period that started on February 12, computer scientists at Northeastern University tracked the rogue machines using honeypot .onion addresses they dubbed "honions." The honions operated like normal hidden services, but their addresses were kept confidential. By tracking the traffic sent to the honions, the researchers were able to identify directories that were behaving in a manner that's well outside of Tor rules.

"Such snooping allows [the malicious directories] to index the hidden services, also visit them, and attack them," Guevara Noubir, a professor in Northeastern University's College of Computer and Information Science, wrote in an e-mail. "Some of them tried to attack the hidden services (websites using hidden services) through a variety of means including SQL Injection, Cross-Site Scripting (XSS), user enumeration, server load/performance, etc."

Jul 21 2016

Phishing Attacks Employ Old but Effective Password Stealer

A few months ago we received a sample from a customer that turned out to be a password stealer (PWS). One thing about this malware stood out: the subdirectory used in the access panel URL. It contained the string “***=**U=TEAM” (which we have obfuscated). Our investigations led us to believe this may be a case of industrial espionage.

The actors use compromised websites to host their access panels. Luckily for us they made a mistake and left the ZIP file they dropped on the compromised site.

This enabled us to see how the back end of the panel works. The ZIP file contains five files:

The three files of interest are config.php, index.php, and install.php.

Config.php contains the password for the MySQL server they will set up.

Install.php creates the database and sets up the panel to store the passwords stolen by the malware. We found the following snippet in the code:

We did some searching and found that “Bilal Ghouri” was originally responsible for the PHP back-end of the popular PWS Hackhound Stealer, which was released in 2009.

We also found this warning at the end of the code:

Surely they would have remembered to delete this file!

The most important file is index.php. This file is responsible for storing the passwords uploaded by the malware and also enables the actors to search and export the data.

It is interesting that the script checks for a specific user agent, “HardCore Software For : Public.”

This user agent is used by the malware when uploading the stolen data. The PHP script checks if the user agent matches the hardcoded one before allowing any data to be uploaded.

The malware in use is ISR Stealer, a modified version of Hackhound Stealer. Our findings are confirmed by the comments in the preceding PHP code.

The PWS targets the following applications:

  • Internet Explorer
  • Firefox
  • Chrome
  • Opera
  • Safari
  • Yahoo Messenger
  • MSN Messenger
  • Pidgin
  • FileZilla
  • Internet Download Manager
  • JDownloader
  • Trillian

The following screen of the original Hackhound Stealer shows options for building the malware:

This screen of the ISR Stealer builder was used by the actors behind the campaign.

ISR Stealer uses two executables to gather passwords stored on the machine: Mail PassView and WebBrowserPassView, both by Nirsoft. These apps gather passwords stored in mail clients and web browsers. Both of these files reside in the resources of the ISR Stealer. The panel location is also stored in the malware’s resources, in a simple encrypted form with SUB 0x02.

An encrypted URL.

A decrypted URL.
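As an added example (not McAfee's code or the malware's), the following script covers two defender tasks from the analysis above: recovering a SUB 0x02-obscured panel URL from a raw resource blob, and flagging web-server log lines whose user agent is the hardcoded "HardCore Software For : Public" string the panel expects on uploads. It assumes the obscuring step subtracts 2 from each byte (so decoding adds 2) and uses constructed sample data.

```python
import re
import string

# Hardcoded user agent the panel's index.php checks before accepting uploads.
UA_MARKER = "HardCore Software For : Public"
SHIFT = 0x02  # assumption: stored byte = plaintext byte - 2, so decoding adds 2
PRINTABLE = set(string.printable) - set(string.whitespace)


def sub02_encode(text: str) -> bytes:
    """Apply the SUB 0x02 transform (used here only to build test data)."""
    return bytes((b - SHIFT) & 0xFF for b in text.encode("ascii"))


def sub02_decode(blob: bytes) -> str:
    """Undo the SUB 0x02 transform on a raw resource slice."""
    return bytes((b + SHIFT) & 0xFF for b in blob).decode("latin-1")


def extract_panel_urls(resource: bytes) -> list:
    """Scan a resource blob for runs that decode to http(s):// URLs.

    The needle is the encoded form of the scheme; the run is extended byte by
    byte while it still decodes to a printable, non-space character.
    """
    urls = []
    for scheme in ("http://", "https://"):
        needle = sub02_encode(scheme)
        for m in re.finditer(re.escape(needle), resource):
            end = m.start()
            while end < len(resource) and sub02_decode(resource[end:end + 1]) in PRINTABLE:
                end += 1
            urls.append(sub02_decode(resource[m.start():end]))
    return urls


# Constructed combined-format access log lines; not taken from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2016:08:01:02 +0000] "POST /panel/index.php HTTP/1.1" 200 15 "-" "HardCore Software For : Public"',
    '10.0.0.7 - - [12/Jan/2016:08:01:09 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def flag_stealer_uploads(lines) -> list:
    """Return the client IPs of requests carrying the stealer's user agent."""
    hits = []
    for line in lines:
        ua = line.rsplit('"', 2)[1] if line.count('"') >= 2 else ""
        if ua == UA_MARKER:
            hits.append(line.split()[0])
    return hits
```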

We did some more digging and found that the actors responsible for this malware have been active since the beginning of 2016, with the first sample spotted in the wild in January.

The following spear-phishing emails were sent to entice targets to download and execute the PWS:

The actors have been busy for several weeks, although we saw no activity during the Easter holiday. After “Easter break,” we noticed that they had slightly changed the panel. It now includes the string “Powered By NEW LINE OF *** **U TEAMS VERSION 2.1.”

One compromised website had more than 10 access panels receiving stolen passwords from the PWS. We observed that some of the targets of the spear phishing are companies that deal with machinery parts. The actors used some of the following filenames:

  • (RFQ__1045667machine-oil valves).exe
  • ButterflyCheckVALVES.exe
  • BALL VALVE BIDDING.exe
  • RFQ BALL VALVE.exe
  • Ball Valves with BSPP conection.exe

These names led us to believe that industrial espionage might be a motive of the actors.

We have also noticed that they are attaching the malware with a “.z” extension. This is likely because some popular ZIP file handlers will associate this file extension with their programs and allow users to extract it. Using .z also bypasses some popular cloud email file restrictions.

We contacted the owners of the websites used by the actors and informed them of the compromise so that they could remove the panels.

Prevention

Intel Security detects this threat as PWS-FCGH. We advise you to block the .z file extension at the gateway level. This step will also prevent other malware from using this technique in phishing campaigns.

The post Phishing Attacks Employ Old but Effective Password Stealer appeared first on McAfee.

Jul 21 2016

Snowden designs device to warn when an iPhone is ratting out users

A conceptual rendering of a “battery case” style introspection engine for an iPhone6. (credit: https://www.pubpub.org/pub/direct-radio-introspection)

Mobile devices have without a doubt brought convenience to the masses, but that benefit comes at a high price for journalists, activists, and human rights workers who work in war-torn regions or other high-risk environments. Now, NSA whistleblower Edward Snowden has designed an iPhone accessory that could one day be used to prevent the devices from leaking their whereabouts.

Working with renowned hardware hacker Andrew “Bunnie” Huang, Snowden has devised the design for what the team is calling the "Introspection Engine." For now, it's aimed only at iPhone 6 models, but eventually the pair hopes to create specifications for a large line of devices. Once built, the "field-ready" accessory would monitor various radio components inside the phone to confirm they're not transmitting data when a user has put the device into airplane mode. The hardware is designed to be independent from the mobile device, under the assumption that malware-infected smartphones are a fact of life in high-risk environments.

Detecting intoxicated smartphones

"Malware packages, peddled by hackers at a price accessible by private individuals, can activate radios without any indication from the user interface," Huang and Snowden wrote in a blog post published Thursday. "Trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive."

Jul 21 2016

Google Releases Security Update for Chrome

Original release date: July 21, 2016

Google has released Chrome version 52.0.2743.82 to address multiple vulnerabilities for Windows, Mac, and Linux. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review the Chrome Releases page and apply the necessary update.
